Sniffing, Spoofing, Session Hijacking, Netcat

Network Attacks

Topics
- Sniffing
- IP address spoofing
- Session hijacking
- Netcat
  o General-purpose network tool

Sniffing
- Sniffer gathers traffic from LAN
  o Can see packets in real time
  o Usually, interface is put in promiscuous mode
  o Gathers everything, regardless of IP address
- Sniffer is useful for attacker
  o And useful for administrator
- Sniffer can collect data such as ...
  o ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.

Sniffing
- Attacker who has access to LAN can sniff packets
  o Usually requires admin/root privilege
  o Typically, use sniffer to gather passwords
- Sniffing can be used in "island hopping" attack
  o Next slide

Island Hopping Attack

Sniffers
- Freeware sniffers include
  o windump --- port of tcpdump
  o Snort --- sniffer/IDS
  o Wireshark (formerly Ethereal) --- able to decode lots of protocols
  o Sniffit --- popular with attackers
  o Dsniff --- perhaps most powerful

Passive Sniffing Thru a Hub
- Recall that hub broadcasts everything
- Passive sniffer sees everything

Snort
- Snort: open source, UNIX-based IDS
- Started out as a sniffer
  o Still can serve as a capable sniffer
  o Why does sniffer-to-IDS make sense?
- Snort not often used by attackers
  o Has more features than attacker needs

Sniffit
- Sniffit popular with attackers
  o UNIX-based
- Sniffit has "interactive mode"
  o Keeps track of individual sessions
  o Can view these as separate conversations

Sniffit Interactive Mode

Wireshark
- Wireshark (formerly Ethereal)
  o Available for many platforms
  o Probably easiest sniffer to use, great UI, etc.
- Wireshark is a "protocol genius"
  o Decodes every bit of packet
- "Follow TCP stream" function
  o Select a TCP packet, view entire connection

Wireshark

Sniffer as Scanning Tool
- Nmap, Nessus, etc., may be detected
  o Active
- Sniffer is passive, so no such risk
  o What can be determined by sniffing?
- May be able to ID OS (maybe even version of OS)
  o E.g., based on way connections are made

P0f2
- Tool to passively ID OS
- Available for most platforms
- To "fingerprint" OS's network stack
  o Can also ID firewall, NAT, etc.
- What info does it use?
- TTL, IP ID, other?

P0f2

Switch
- Recall that switch does not broadcast

Active Sniffing
- Sniffing thru a switch?
- Switch limits what you see with sniffers such as Wireshark
- May be able to "sniff" thru switch by inserting traffic
  o Dsniff and Ettercap

Dsniff
- Developed by developer of FragRouter
- Dsniff decodes lots of application-level protocols
  o FTP, telnet, POP, ..., Napster, pcAnywhere
  o Makes it easy to find passwords
- Dsniff also has active operations

Dsniff
- Switch remembers MAC addresses
- MAC address flooding
  o Dsniff sends packets with random spoofed MAC addresses
  o Switch's address memory eventually exhausted
- Then what does switch do?
  o It depends..., but some start acting like hubs
  o If so, then passive sniffing works

Dsniff
- What to do if flooding fails?
- ARP spoofing (ARP cache poisoning)
  o Attacker sets "IP forwarding" on his machine to default gateway (router)
  o Attacker poisons ARP cache so that he appears to be default gateway
  o Attacker sees all traffic destined for outside world, and traffic still sent to default gateway

Default Router

Spoofed "Default Router"

Dsniff ARP Spoofing
- How could this be detected?
- What happens when packet sent from attacker to default gateway?
  o IP forwarding is "really simple routing"
  o So, TTL is decremented
  o Could be detected by, say, traceroute
- How can attacker avoid this?

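The two detection ideas on this slide (the gateway's IP suddenly answering from a different MAC, and relayed traffic arriving with TTL decremented by one) as host-side detection logic. This is an added example, not code from the slides or from Dsniff; the ARP replies, the gateway's static entry and the TTL samples are constructed.

```python
import collections

# Constructed ARP replies as a host on the LAN would record them; the
# gateway's known-good MAC is assumed to come from a static ARP entry.
GATEWAY_IP = "192.168.1.1"
KNOWN_GOOD = {GATEWAY_IP: "00:11:22:33:44:55"}
ARP_REPLIES = [
    {"ip": "192.168.1.1", "mac": "00:11:22:33:44:55"},  # real gateway
    {"ip": "192.168.1.7", "mac": "aa:bb:cc:dd:ee:07"},  # ordinary host
    {"ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01"},  # gateway IP, new MAC
    {"ip": "192.168.1.7", "mac": "de:ad:be:ef:00:01"},  # same MAC, host's IP
]

def detect_arp_poisoning(replies, known_good):
    """Alerts on (1) a protected IP announced with an unexpected MAC and
    (2) one MAC claiming several IPs, the pattern of a host answering for
    both the gateway and the victim."""
    alerts, ips_by_mac = [], collections.defaultdict(set)
    for r in replies:
        ip, mac = r["ip"], r["mac"].lower()
        if ip in known_good and mac != known_good[ip].lower():
            alerts.append(f"{ip} announced by {mac}, expected {known_good[ip]}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} claims several IPs: {sorted(ips_by_mac[mac])}")
    return alerts

def ttl_drops(samples):
    """The slide's second signal: a relay doing IP forwarding decrements
    TTL, so replies from a remote host suddenly arrive one hop farther
    away. samples: (remote_ip, ttl) in arrival order; returns flagged IPs."""
    baseline, flagged = {}, set()
    for ip, ttl in samples:
        if ip not in baseline:
            baseline[ip] = ttl
        elif baseline[ip] - ttl == 1:
            flagged.add(ip)
    return sorted(flagged)

# Constructed TTL samples from a remote host in the TEST-NET-3 range.
TTL_SAMPLES = [("203.0.113.10", 55), ("203.0.113.10", 55), ("203.0.113.10", 54)]
```
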
Ettercap
- Ettercap uses method known as "port stealing" to sniff switched LAN
  o Sometimes, hard-coded MAC addresses
  o In such case, ARP poisoning not possible
- Port stealing may be an option

Ettercap
- Switch associates MAC addresses to each of its physical ports
  o Mapping created by examining packets
- Ettercap floods LAN with frames
  o Attacker's MAC address is destination
  o Source MAC address is victim machine (e.g., default gateway)
- What does this accomplish?
  o Switch associates default gateway with the physical port on which attacker resides

Ettercap
- Port stealing
- So far... switch thinks default gateway on same physical port as attacker
  o Note: ARP tables on hosts not affected
- Then attacker can sniff data intended for victim
- How does attacker then get these packets to the default gateway?

Ettercap
- So far... packets intended for gateway can be sniffed by attacker
- How to get these packets to gateway?
  o Forward packets to switch with gateway's MAC address?
  o That won't work!

Ettercap
- Attacker sends ARP request for IP address of gateway
- When attacker sees response
  o Knows switch has also seen response
- So what?
  o Now switch sends data intended for gateway to the gateway
  o Attacker can then send buffered data
- Brilliant!

Port Stealing

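A toy model of the switch's MAC table that shows both what the MAC flooding slide and the port stealing slides rely on: with a bounded table, enough bogus source addresses evict the gateway's entry and frames to it are flooded like on a hub; a frame carrying the gateway's source MAC on another port moves the entry, and the gateway's own ARP reply moves it back. The `moves` counter is the defender's signal (a MAC flapping between ports). This is an added example with a constructed switch model, not any vendor's logic and not Dsniff's or Ettercap's code.

```python
import collections

class Switch:
    """Constructed model: learns source MACs per port, forwards known
    destinations to one port, floods unknown ones to every other port."""
    def __init__(self, ports, capacity):
        self.ports, self.capacity = ports, capacity
        self.table = collections.OrderedDict()  # mac -> port, oldest first
        self.moves = collections.Counter()       # mac -> times it changed port

    def learn(self, src_mac, in_port):
        if src_mac in self.table:
            if self.table[src_mac] != in_port:
                self.moves[src_mac] += 1           # MAC now seen on another port
                self.table[src_mac] = in_port
            return
        if len(self.table) >= self.capacity:      # table full: evict oldest entry
            self.table.popitem(last=False)
        self.table[src_mac] = in_port

    def forward(self, dst_mac, in_port):
        port = self.table.get(dst_mac)
        if port is None:                          # unknown: behaves like a hub
            return [p for p in self.ports if p != in_port]
        return [port]

def flooding_effect(n_bogus):
    """Slide 'MAC address flooding': once the table is exhausted the
    gateway's entry is gone and a frame for it goes out every port."""
    sw = Switch(ports=[1, 2, 3], capacity=4)
    sw.learn("gw", 1); sw.learn("victim", 2)
    for i in range(n_bogus):
        sw.learn(f"bogus{i}", 3)                  # random source MACs, port 3
    return sw.forward("gw", in_port=2)

def port_stealing_effect():
    """Slides on port stealing: a frame whose source is the gateway MAC
    arrives on port 3, so the switch now sends the victim's traffic there;
    the real gateway answering an ARP request restores the mapping.
    Returns (ports while stolen, ports after restore, gateway move count)."""
    sw = Switch(ports=[1, 2, 3], capacity=64)
    sw.learn("gw", 1); sw.learn("victim", 2)
    sw.learn("gw", 3)                             # forged source MAC on port 3
    stolen = sw.forward("gw", in_port=2)
    sw.learn("gw", 1)                             # real gateway replies to ARP
    return stolen, sw.forward("gw", in_port=2), sw.moves["gw"]
```
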
DNS Spoofing
- Dsniff can send false DNS info
  o Used to redirect traffic
- Victim tries to resolve name via DNS
  o Attacker sniffs DNS request
  o Attacker responds quickly with bogus IP
  o Victim goes to bogus address
- Works provided bogus reply arrives first

DNS Spoofing

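The race described on the DNS spoofing slide leaves a trace a LAN monitor can look for: the same transaction answered twice with different data in a short window, where the victim has already accepted whichever answer arrived first. This is an added detection example, not code from the slides or from Dsniff; the response log is constructed.

```python
import collections

# Constructed DNS responses as a monitor on the LAN would log them:
# (seconds, transaction_id, queried_name, answered_ip)
RESPONSES = [
    (0.000, 0x1a2b, "bank.example", "203.0.113.9"),    # bogus reply, arrives first
    (0.012, 0x1a2b, "bank.example", "198.51.100.20"),  # real reply, too late
    (1.500, 0x9f10, "mail.example", "198.51.100.25"),
    (3.000, 0x9f10, "mail.example", "198.51.100.25"),  # harmless retransmit
]

def detect_dns_spoofing(responses, window=1.0):
    """Flag a (txid, name) answered more than once with conflicting data
    inside `window` seconds. A benign retransmit repeats the same answer
    and is ignored; 'accepted' is what the victim used (the first reply)."""
    alerts = []
    seen = collections.defaultdict(list)   # (txid, qname) -> [(time, answer)]
    for t, txid, qname, answer in responses:
        for t0, a0 in seen[(txid, qname)]:
            if a0 != answer and t - t0 <= window:
                alerts.append({"qname": qname, "txid": txid,
                               "accepted": a0, "late": answer})
        seen[(txid, qname)].append((t, answer))
    return alerts
```
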
Sniffing SSL and SSH
- Dsniff webmitm enables man-in-the-middle (MiM) attack
- Send certificate signed by bogus "CA"
  o In SSL, browser warns user, and ...
  o ... warning is ignored
  o In SSH user is warned, and ...
  o ... warning is ignored

Sniffing SSL and SSH
- Man-in-the-middle
  o Politically correct: "monkey-in-the-middle"

Simplified SSL Protocol

  Alice --> Bob:  Can we talk?, cipher list, RA
  Bob --> Alice:  certificate, cipher, RB
  Alice --> Bob:  {S}Bob, E(h(msgs,CLNT,K),K)
  Bob --> Alice:  h(msgs,SRVR,K)
  Alice <-> Bob:  Data protected with key K

- S is pre-master secret
- K = h(S,RA,RB)
- msgs = all previous messages
- CLNT and SRVR are constants

SSL MiM Attack

  Alice-Trudy leg:
  Alice --> Trudy:  RA
  Trudy --> Alice:  certificateT, RB
  Alice --> Trudy:  {S1}Trudy, E(X1,K1)
  Trudy --> Alice:  h(Y1,K1)
  Alice <-> Trudy:  E(data,K1)

  Trudy-Bob leg:
  Trudy --> Bob:  RA
  Bob --> Trudy:  certificateB, RB
  Trudy --> Bob:  {S2}Bob, E(X2,K2)
  Bob --> Trudy:  h(Y2,K2)
  Trudy <-> Bob:  E(data,K2)

Q: What prevents this MiM attack?
A: Bob's certificate must be signed by a certificate authority (such as Verisign)
What does browser do if signature not valid?
What does user do if signature is not valid?

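The simplified protocol and the MiM slide, carried through in code with the slides' own quantities (RA, RB, S, K = h(S,RA,RB), the h(msgs,CLNT,K) and h(msgs,SRVR,K) finished values), so that the one check which stops Trudy is visible: the client refuses a certificate not signed by the CA it trusts. This is an added example, not code from the slides. Assumptions: h is SHA-256; the CA "signature" is a toy HMAC tag under a CA key rather than a public-key signature; the public-key transport {S}Bob is not modelled, S is simply handed to the server object.

```python
import hashlib, hmac, os

CLNT, SRVR = b"CLNT", b"SRVR"

def h(*parts):                              # the slides' hash h(...)
    return hashlib.sha256(b"|".join(parts)).digest()

# Toy PKI (assumption): a cert binds a server name to a CA tag; the tag is
# an HMAC under the CA key so the example needs only the standard library.
def issue_cert(name, ca_key):
    return {"name": name, "sig": hmac.new(ca_key, name, "sha256").digest()}

def cert_ok(cert, trusted_ca_key):
    want = hmac.new(trusted_ca_key, cert["name"], "sha256").digest()
    return hmac.compare_digest(cert["sig"], want)

class Server:                               # Bob, or Trudy posing as Bob
    def __init__(self, cert):
        self.cert, self.K = cert, None
    def hello(self, RA):                    # msg 2: certificate, cipher, RB
        self.RA, self.RB = RA, os.urandom(8)
        return self.cert, self.RB
    def finish(self, S, client_mac):        # msg 3: {S}Bob, E(h(msgs,CLNT,K),K)
        self.K = h(S, self.RA, self.RB)     # K = h(S, RA, RB)
        msgs = self.RA + self.cert["sig"] + self.RB   # "all previous messages"
        if client_mac != h(msgs, CLNT, self.K):
            raise ValueError("client finished hash mismatch")
        return h(msgs, SRVR, self.K)        # msg 4: h(msgs,SRVR,K)

def client_handshake(server, expected_name, trusted_ca_key):
    """Alice's side. Returns K, or None when the certificate is not
    signed by a trusted CA: the check that defeats the MiM."""
    RA = os.urandom(8)
    cert, RB = server.hello(RA)
    if cert["name"] != expected_name or not cert_ok(cert, trusted_ca_key):
        return None                         # browser warning, taken seriously
    S = os.urandom(16)                      # pre-master secret (transport of
    K = h(S, RA, RB)                        # {S}Bob not modelled, see lead-in)
    msgs = RA + cert["sig"] + RB
    server_mac = server.finish(S, h(msgs, CLNT, K))
    return K if server_mac == h(msgs, SRVR, K) else None

def demo():
    ca = os.urandom(16)                     # the CA Alice trusts
    bob = Server(issue_cert(b"bob.example", ca))
    trudy = Server(issue_cert(b"bob.example", os.urandom(16)))  # bogus CA
    k_bob = client_handshake(bob, b"bob.example", ca)
    k_trudy = client_handshake(trudy, b"bob.example", ca)
    return k_bob is not None and k_bob == bob.K, k_trudy
```

Trudy's certificate carries the right name but the wrong CA tag, so Alice stops before choosing S; ignoring that warning is exactly what hands her the session.
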
Sniffing SSL

Firefox Certificate Warning

IE Certificate Warning

Webmitm Output

SSH Sniffing
- SSH gives a warning too
  o Specifically mentions MiM attack
  o Still, it's easy to ignore
- Ettercap also does SSH MiM
  o But Ettercap is not really in the "middle"
  o It establishes key with client, then connects client to server using same key

Other Dsniff Features
- Tcpkill --- kill active TCP connection
- Tcpnice --- "shape traffic" using, e.g., ICMP source quench
- Filesnarf --- grab NFS files
- Mailsnarf --- grab email
- Msgsnarf --- grab IM traffic
- Urlsnarf --- grab URLs from HTTP traffic
- Webspy --- view web pages victim views

Sniffing Defenses
- Use secure protocols
  o SSL, SSH, S/MIME, PGP, IPSec
- Do not use telnet for sensitive info
- Take certificate warnings seriously
- Prefer switches to hubs
- Hard code MAC addresses, if possible
- Static ARP tables, where possible

Sniffing Defenses
- Use tools to detect promiscuous mode
- ifconfig (UNIX), PromiscDetect (Windows)
- Sentinel looks for anomalies on LAN that indicate sniffing
  o Send packet (ping, for example) with bogus destination MAC address
  o Any reply indicates sniffing
- Also, some Windows-specific tools

IP Address Spoofing
- IP Address Spoofing
  o Changing source IP address
- Enables Trudy to ...
  o Cover her tracks
  o Break applications that use IP address for authentication
- Previous examples: Nmap, Dsniff, ...

Simple Spoofing
- Simply change the IP address
  o Ipconfig or Windows network Control Panel
- Works when Trudy does not need response
  o DoS, for example
- Tools for packet crafting
  o Hping2
  o Nemesis
  o NetDude

Simple Spoofing
- Limitations of simple spoofing
  o Trudy cannot easily interact with target
  o Spoofing TCP especially difficult
- Interactive simple spoofing works if Trudy on same LAN as spoofed address

Simple Spoofing

Predicting Sequence Numbers
- Not-so-simple spoofing ...
  o Trusted machines often require no authentication beyond TCP connection
- Trudy can pretend to be trusted machine by spoofing IP address
  o To establish connection, Trudy must predict initial sequence number

Not-So-Simple Spoofing

Not-So-Simple Spoofing
- Note that ...
  o Trudy must correctly guess ISN_B
  o Trudy does not see responses (not a true interactive session)
  o Bob thinks packets came from Alice
  o Good attack for r-commands

Spoofing via Source Routing
- Source routing
  o Specify path packet will take
- Loose source routing
  o Specify some hops
- Source routing makes Trudy's life much easier
  o Next slide

Spoofing via Source Routing

Spoofing via Source Routing
- Seldom works across Internet
  o Source routing blocked by gateway
- May work on internal network
  o Makes insider attacks easy

IP Spoofing Defenses
- Be sure ISNs are reasonably random
- Avoid using r-commands
  o Or use only with SSH or VPN
- IP address for authentication ... NOT!
- Do not allow source routing
- Be careful with trust relationships

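"Be sure ISNs are reasonably random" is something an administrator can measure: collect the ISN a host hands out on successive connections and look at the increments. A constant or tightly clustered increment is what makes the not-so-simple spoofing above feasible, because Trudy need only try a small range. This is an added example, not code from the slides; the three ISN sequences are constructed.

```python
import hashlib, statistics

def isn_report(isns, ratio_threshold=0.1):
    """Assess how guessable a host's ISNs are from samples taken over
    successive connections. search_space = number of distinct increments
    a spoofer would have to try; predictable = increments barely vary."""
    if len(isns) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]
    mean = statistics.fmean(deltas)
    ratio = statistics.pstdev(deltas) / mean if mean else 0.0
    return {"constant": len(set(deltas)) == 1,
            "search_space": max(deltas) - min(deltas) + 1,
            "predictable": ratio < ratio_threshold}

# Constructed samples: BSD_STYLE steps a fixed 64000 per connection,
# JITTERED adds a few units of noise, RANDOM draws 32 bits from a hash.
BSD_STYLE = [(100_000 + 64_000 * i) % 2**32 for i in range(20)]
JITTERED = [(100_000 + 64_000 * i + (i * 7) % 11) % 2**32 for i in range(20)]
RANDOM = [int.from_bytes(hashlib.sha256(str(i).encode()).digest()[:4], "big")
          for i in range(20)]
```
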
IP Spoofing Defense
- Employ anti-spoof packet filters

Session Hijacking
- Trudy "steals" an existing session
- Network-based session hijacking
  o Combines spoofing and sniffing
  o Alice and Bob have existing connection
  o Trudy is sniffing packets (on LAN)
  o Trudy starts injecting packets
  o Bob thinks packets came from Alice
- This works even if strong authentication used, provided there is no encryption

Session Hijacking
- Also, host-based session hijacking
- Tools for session hijacking
  o Hunt
  o Dsniff --- sshmitm
  o Ettercap
  o Juggernaut
  o IP Watcher, TTYWatcher, TTYSnoop

ACK Storm
- If Alice is alive during session hijack ...
  o Limits the attack

Ettercap
- Ettercap can prevent ACK storm
- ARP cache poisoning
  o Ettercap makes Trudy MiM

Ettercap

Hunt
- Hunt offers similar feature as Ettercap
- Includes a "resync" feature that may allow Trudy out of MiM
  o And allow Alice and Bob to continue
- Ettercap and Hunt attacks can work even if Trudy not on same LAN
  o Trudy must be on network between Alice & Bob

MiM Attack

Wireless Access Points
- All attacks so far also work on wireless networks
- But wireless has unique attack ...
- Access point hijacking
  o Given SSID, pretend to be access point
  o Then need to get victims to associate with fake access point
  o Tool for this: AirJack

Session Hijacking Defenses
- Use defenses against spoofing and sniffing
- Use SSH version 2
  o Dsniff and Ettercap MiM work against SSH version 1
- Pay careful attention to certificate warnings

Netcat
- General-purpose networking tool
  o "... single most useful tool ... for interacting with a system across a network"
  o "Swiss army knife of network tools"
  o If you were stranded on a desert island, your one attack tool would be Netcat
- You get the idea ...

Netcat
- Send or receive data from any TCP or UDP port to any TCP or UDP port

Netcat For File Transfer
- File transfer: any port, push or pull

Netcat For Port Scanning
- Plain vanilla port scanning
  o Unlike Nmap, which has many options

Netcat: Connect to Open Ports
- Connect to open port
  o Send data and see what comes back
- Better than telnet because
  o Easier to redirect output to file
  o Easier to drop a connection
  o No telnet control data/characters
  o No telnet error messages
  o telnet cannot make UDP connections

Netcat: Vulnerability Scanning
- Netcat as "vulnerability engine"
  o I.e., attacker writes scripts that use Netcat's capabilities
  o Netcat comes with scripts to check for vulnerabilities in RPC, NFS, trust, FTP, and really weak passwords (very limited compared to Nessus)

Netcat Backdoors
- With access to a machine, Trudy can
  o Start a Netcat listener for future access
  o Create an active backdoor (i.e., push data)
- These are most common uses of Netcat by bad guys

Netcat to Relay Traffic
- Can use Netcat to relay traffic
  o Trudy can hide her true location
- 10 or more "hops" sometimes seen
  o Across political/language boundaries

Evade Packet Filter

How to Create Netcat Relay?
- Three popular techniques
- Modify inetd in UNIX/Linux
  o Add a line to inetd.conf file
- "backpipe" on UNIX/Linux
  o Use mknod: pipes data in FIFO order
- Relay bat file in Windows

Backpipe

Netcat Listeners
- By default, Netcat listener is nonpersistent
- In Windows version, can create persistent listeners
- In UNIX, requires a little more work from Trudy to get same effect
  o see book for details

Netcat Honeypots
- Good guys can create Netcat (persistent) listeners
  o These can be used as honeypots

Netcat Defenses
- Prevent Netcat file transfers
  o Firewall configuration issue
- Secure against port scanning
  o Minimal number of listening ports
- Block arbitrary connections to ports
  o Close unused ports
- Protect against vulnerability scanning
  o Apply patches

Netcat Defenses
- Stop backdoors
  o Need to know what processes are running so you can detect rogue processes
- Prevent relay attacks
  o No single point that attacker can relay around
- Stop persistent listeners
  o Periodically check for unexpected listening ports

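"Periodically check for unexpected listening ports" as a small audit routine: parse the output of `ss -ltn` against an allow-list of ports and report the rest, marking whether a listener is bound to loopback only or exposed on all interfaces, which is what separates a local-only service from a Netcat listener waiting for Trudy. This is an added example, not code from the slides; the `ss` output is constructed in the column layout that tool prints.

```python
# Constructed `ss -ltn` output (State, Recv-Q, Send-Q, Local Address:Port, ...)
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
"""

def parse_listeners(ss_text):
    """Yield (address, port) for each LISTEN line; handles [v6]:port."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)

def unexpected_listeners(ss_text, allowed_ports):
    """Listeners whose port is not on the allow-list, each tagged
    'loopback' or 'exposed' so an externally reachable one stands out."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if port in allowed_ports:
            continue
        exposure = "loopback" if addr in ("127.0.0.1", "::1") else "exposed"
        findings.append((addr, port, exposure))
    return findings
```

Run it from cron against the live `ss -ltn` output and diff the findings against the previous run; a new "exposed" entry is the persistent listener the slide warns about.
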
Conclusions

Summary

Netcat